BayThreat, an annual Bay Area information security conference, was this past weekend. As in years past, it was top notch and well organized. The conference returned to its old home, the Hacker Dojo, for this fourth incarnation.
Some highlights (in no particular order):
- Nick Sullivan spoke on white box cryptography, and the lack of a current open source implementation. White box cryptography attempts to address situations where the attacker has already compromised a host, but you want to prevent them from making use of encryption keys. Nick outlined some techniques, caveats and examples of current implementations. He then announced the Open WhiteBox project, which aims to release an open source implementation of this style of crypto.
- Allison Miller discussed using operations management paradigms to create risk models. Using (don’t call it big) data to find leading risk indicators allows you to focus on the variables that matter. She also covered using feedback loops to improve and adjust your model over time, keeping you responsive to new threats.
- Scott Roberts explained how GitHub uses Hubot to manage many aspects of operations, including security. Having the company exist in a series of chatrooms allows everyone to be involved in responding to security incidents, something Scott compared to pair programming. GitHub has given Hubot a central role in management, and it is easily extensible, allowing others to customize it for their needs.
- Finally, Nathan McCauley from Square presented on the challenges of deploying hardware cryptographic devices on the cheap. Square allows merchants to accept payments via a small hardware device that plugs into a smartphone or tablet. Creating such a device brought interesting challenges such as: no random number generator, only 256 bytes of memory, low power and overseas production. The talk covered how Square addressed these during the design of their solution.
I also presented on surviving an application DoS attack. BayThreat did not disappoint, and I’ll definitely be returning next year. If you would like to know more about BayThreat and these subjects, check out their website at http://www.baythreat.org/.